ibmi-brunch-learn

Announcement

Collapse
No announcement yet.

CPYTOIMPF / QNTC / Un Matched user ids

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    CPYTOIMPF / QNTC / Un Matched user ids

    Hi All:

    I'm trying to use this:
    Code:
      cpytoimpf fromfile(qtemp/myfile) tostmf('/qntc/server/users/myfolder/myfile.csv) 
  mbropt(*replace) stmfccsid(*pcascii) rcddlm(*crlf) strdlm(*none) rmvblank(*trailing)
    This works great when my IBMi userid = my network id. My issue is that I have network user id's
    that are longer than 10 chars. As a result MyIprofile does not have permission to MYNetworkprofile
    or any directories belonging to him.

    I know that I can create a network id that matches the IBMi id but passwords need to be changed every 30 days and I don't want the users maintaining 3 profiles (windows/windows matched to IBMi/IBMi)

    Short of single sign on is there any solution to my issue?

    Another wrinkle is that I need to kick off a batch file after the file has been downloaded

    Thanks in advance for any assistance

    GLS
    The problem with quotes on the internet is that it is hard to verify their authenticity.....Abraham Lincoln
    Tags: None
  • #2
    Re: CPYTOIMPF / QNTC / Un Matched user ids

    I ended up swapping user profiles with one that has all permissions to the IBMi and the network.
    AS400 how to Switch user profile programmatically during runtime
    http://www.mysamplecode.com/2012/06/as400-switch-user-profile.html
    Well a few days back I was working on a program that was using DDM files. Now for DDM files to work you have to add authority for each user ...


    GLS
    The problem with quotes on the internet is that it is hard to verify their authenticity.....Abraham Lincoln

    Comment

    • #3
      Re: CPYTOIMPF / QNTC / Un Matched user ids

      I don't know if you are the only person using this process or if it's available for anyone to use but I really don't like using the swap user profile APIs - they do pose security risks that you should be aware of. This isn't such an issue with batch jobs but if running this process interactively (and well, if anyone has a command line they can call it interactively anyway), there is the danger that the persons job will remain in the swapped-to profile until they log off. You say the swapped-to profile has all permissions to the IBM i (which I assume means all special authorities). This seems excessive and very likely unneccessary and should be raising alarm bells.

      e.g.
      What happens should the process fail?
      What if they bring up a command line during this process somehow?
      Can they break out of the program (e.g. SysReq-2)?

      The code posted won't swap profiles back should something error and the user could be permanently running under the other profile without their knowledge. It should have some sort of error monitor to ensure that the profiles are swapped back should an error occur. As to the others possiblities, it would be best if this ran in a batch job to prevent those from happening.

      Also, as an aside, I notice the code doesn't release the profile handle afterwards (calling QSYRLSPH) - there is a limit to the number of open handles a job can have though it's rather large so unlikely you'd ever reach it.

      Comment

      • #4
        Re: CPYTOIMPF / QNTC / Un Matched user ids

        The Profiles are not switched, the job is run under the profile you switched to. If the job ends abnormally then the profile change is lost. You should always use the PASSWORD for improved security, I would also suggest encryption is used from the source to the program to ensure no snooping on the network could easily identify it. I have used this technique a lot to allow remote authority and program use.

        Chris...

        Comment

        Previous template Next
        Working...
        X